General Best Practices

Whenever information is sent from server to a browser the default behavior is to cache the response to speed up access in the future. While speed is important, security is paramount. Cached information can be stored persistently by the browser on the device making it vulnerable if the device becomes compromised; a malicious app may gain access to the cached data.

In most cases assets like static graphics are safe for the browser to cache. As a best practice, you should not cache any information secured behind a login. This can lead to information being inadvertently available to malicious apps.

To ensure that responses from the web server are not stored persistently by the browser (either the native browser or webview) add the following header to HTTP(s) responses that are being returned.

Instructions for including these headers with the response should be in either your web server documentation or the programming framework that you are using to code your app.

Cookies and Security

If you are using SSL to protect the security of the communication between you and your users, it is also important to ensure that cookies you are storing cannot be used in unintended ways. For instance if you are saving a login token in a cookie, you should mark that cookie as Secure. Similarly, if a server is sending a cookie that should not be accessible to JavaScript that is running on the page it should be marked as HttpOnly, preventing certain classes of cross-site scripting attacks. (Note: HttpOnly Cookies are part of the HTML5 specification.)

Amazon Web App Cache APIs

If your web app is distributed by Amazon, you can clear the cache of the embedded browser by using an available API. For example, when a user logs out of your app, you can force any saved data to be purged from the device. While this is not a substitute for not caching critical information in the first place, it can be a useful tool to ensure that you are doing everything possible to preserve a customer’s trust by securing their data.

The Amazon Web App Cache Object

Before calling any of the Amazon Web App Cache APIs it is important to check that the object exists. This will ensure proper functionality if your apps run without a wrapper.

amzn_wa.Cache.clearAllCookies() - Clears all cookies from the embedded browser.

amzn_wa.Cache.clearExpiredCookies() - Forces the erasure of expired cookies from the embedded browser. (These wouldn't be sent to the server on a request but may be kept on the device until garbage collection removes them).

amzn_wa.Cache.clearSessionCookies() - Clears all session cookies from the embedded browser. Session cookies exist when no expiration date is used when the cookie is initially created.